Friday, November 01, 2013

toolsmith: OWASP Xenotix XSS Exploit Framework

Prerequisites

Current Windows operating system

Introduction

Hard to believe this month’s toolsmith marks seven full
years of delivering dynamic content and covering timely topics on the perpetually
changing threat-scape information security practitioners face every day. I’ve
endeavored to aid in that process 94 straight months in a row, still enjoy
writing toolsmith as much as I did day one, and look forward to many more to
come. How better to roll into our eighth year than by zooming back to one of my
favorite topics, cross-site scripting (XSS), with the OWASP Xenotix XSS Exploit
Framework. I’d asked readers and Twitter followers to vote for November’s topic
and Xenotix won by quite a majority. This was timely as I’ve also seen renewed
interest in my Anatomy of an XSS Attack
published in the ISSA Journal more than five years ago in June 2008. Hard to
believe XSS vulnerabilities still prevail but according to WhiteHat Security’s
May 2013 Statistics report:

1) While no longer the most prevalent vulnerability, XSS is still #2 behind only Content Spoofing

2) While 50% of XSS vulnerabilities were resolved, up from 48% in 2011, it still took an average of 227 days for sites to deploy repairs

Per the 2013 OWASP Top 10, XSS is
still #3 on the list. As such, good tools for assessing web applications for
XSS vulnerabilities remain essential, and OWASP Xenotix XSS Exploit Framework
fits the bill quite nicely.

Ajin Abraham (@ajinabraham) is Xenotix’s developer and project lead; his
feedback on this project supports the ongoing need for XSS awareness and
enhanced testing capabilities.

According to Ajin, most of the current pool of web application
security tools still don't give XSS the full attention it deserves, an
assertion he supports with their less than optimal detection rates and high
number of false positives. He has found that most of these tools use a payload
database of about 70-150 payloads to scan for XSS. Most web application scanners,
with the exception of a few top notch proxies such as OWASP ZAP and
Portswigger's Burp Suite, don't provide much flexibility, especially when
dealing with headers and cookies. They typically have a predefined set of
protocols or rules to follow and, from a penetration tester's perspective, can
be rather primitive. Overcoming some of these shortcomings is what led to the
OWASP Xenotix XSS Exploit Framework.

Xenotix is a penetration testing tool developed
exclusively to detect and exploit XSS vulnerabilities. Ajin claims that Xenotix
is unique in that it is currently the only XSS vulnerability scanner with zero false
positives. He attributes this to its live payload reflection-based XSS detection:
a payload is reported as a hit only when one of its three embedded browser
rendering engines, Trident, WebKit and Gecko, actually executes it, rather than
when the payload string merely comes back somewhere in the response. Xenotix
apparently has the world's second largest XSS payload database, allowing
effective XSS detection and WAF bypass. Xenotix is also more than a
vulnerability scanner, as it includes offensive XSS exploitation and
information gathering modules useful in generating proofs of concept.

For future releases Ajin intends to implement additional
elements such as an automated spider and an intelligent scanner that can choose
payloads based on responses to increase efficiency and reduce overall scan
time. He's also working on an XSS payload inclusive of OSINT gathering which
targets certain WAFs and web applications with specific payloads, as well as a
better DOM scanner that works within the browser. Ajin welcomes support from
the community. If you're interested in the project and would like to contribute
or develop, feel free to contact him via @ajinabraham, the OWASP Xenotix site, or the
OpenSecurity site.

Xenotix Configuration

Xenotix installs really easily. Download the latest
package (4.5 as this is written), unpack the RAR file, and execute Xenotix XSS Exploit Framework.exe. Keep in
mind that antimalware/antivirus on Windows systems will detect xdrive.jar as a Trojan Downloader.
Because that’s what it is. ;-) This is an enumeration and exploitation tool
after all. Before you begin, watch Ajin’s YouTube video
regarding Xenotix 4.5 usage. There is no written documentation for this tool so
the video is very helpful. There are additional videos for
older editions that you may find useful as well. After installation, before you
do anything else, click Settings,
then Configure Server, check the
Semi Persistent Hook box, then
click Start. This will allow you
to conduct information gathering and exploitation against victims once you’ve
hooked them.

Xenotix utilizes the Trident engine (Internet Explorer
7), the Webkit engine (Chrome 25), and the Gecko engine (Firefox 18), and
includes three primary module sets: Scanner,
Information Gathering, and XSS Exploitation as seen in Figure 1.

These steps assume you’ve installed Mutillidae II
somewhere, ideally on a virtual machine, and are prepared to experiment as we
walk through Xenotix here.

Let's begin with the Scanner
modules, using Mutillidae's DNS Lookup
under OWASP Top 10 --> A2 Cross Site Scripting (XSS) --> Reflected (First Order) --> DNS Lookup. The vulnerable GET
parameter is page and, on POST, it is
target_host. Keep in mind that as
Xenotix will confirm vulnerabilities across all three engines, you'll be hard
pressed to manage output, particularly if you run in Auto Mode; there is no real reporting function with this
tool at this time. I therefore suggest testing in Manual Mode.
This allows you to step through each payload and, as seen in Figure 2, we get our
first hit with payload 7 (of 1530).

FIGURE 2: Xenotix
manual XSS scanning

You can also try the XSS
Fuzzer where you replace parameter values with a marker, [X], and fuzz
in Auto Mode. The XSS Fuzzer allows you to skip ahead to
a specific payload if you know the payload position index. Circling back to the
above mentioned POST parameter, I used the POST
Request Scanner to build a request, establishing http://192.168.40.139/mutillidae/index.php?page=dns-lookup.php
as the URL and setting target_host
in Parameters. Clicking POST
then populated the form as noted in Figure 3 and as with Manual mode, our first
hits came with payload 7.

FIGURE 3: Xenotix POST
Request Scanner

You can also make use of Auto
Mode, as well as DOM, Multiple Parameter, and Header Scanners, as well as a Hidden Parameter Detector.
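To make the scanning workflow concrete, here is an added example (mine, not Xenotix code) of what "live reflection-based detection" and the [X] fuzzer convention amount to in principle. Instead of the three real rendering engines it uses the standard library's html.parser to decide whether a reflected payload landed where a browser would actually execute it (a script body, an on* event handler or a javascript: URL), and compares that verdict with the naive "the payload string came back" check that causes false positives. The three handlers are constructed stand-ins for a server like Mutillidae's dns-lookup.php (not the real PHP), the eight payloads are a constructed sample rather than the Xenotix database, and the names fuzz, first_hit, ExecContextFinder and the xnxNq canaries are my own.

```python
"""Reflection-based XSS probing with a context-aware hit check.

Added example for this column; it is not Xenotix code.  html.parser stands in
for the Trident/WebKit/Gecko engines, the handlers stand in for a reflecting
server such as Mutillidae's dns-lookup.php, and the payload list is a small
constructed sample.
"""
import html
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional

MARKER = "[X]"  # placeholder the XSS Fuzzer expects in a parameter value
Handler = Callable[[Dict[str, str]], str]

# Each template gets a per-payload canary substituted for {C}.
PAYLOADS = [
    "{C}",                                        # 0 plain probe, never executes
    "<b>{C}</b>",                                 # 1 HTML injection only
    "\"><b>{C}</b>",                              # 2 attribute break-out, no script
    "<script>alert('{C}')</script>",              # 3
    "<img src=x onerror=alert('{C}')>",           # 4
    "'><svg onload=alert('{C}')>",                # 5
    "--><script>alert('{C}')</script><!--",       # 6 escapes an HTML comment
    "</textarea><script>alert('{C}')</script>",   # 7 escapes a textarea
]


def page(body: str) -> str:
    return f"<html><body>{body}</body></html>"


# Constructed server stand-ins; assumption: each echoes target_host back.
def echo_unescaped(p: Dict[str, str]) -> str:
    return page(f"<p>Results for hostname: {p['target_host']}</p>")


def echo_in_comment(p: Dict[str, str]) -> str:
    return page(f"<!-- debug target_host={p['target_host']} --><p>done</p>")


def echo_escaped(p: Dict[str, str]) -> str:
    safe = html.escape(p["target_host"], quote=True)
    return page(f"<p>Results for hostname: {safe}</p>")


class ExecContextFinder(HTMLParser):
    """Records the first executable position in which `canary` appears."""

    def __init__(self, canary: str) -> None:
        super().__init__()
        self.canary = canary
        self.in_script = False
        self.context: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            if not value or self.canary not in value:
                continue
            if name.startswith("on"):
                self.context = self.context or f"<{tag} {name}=...> handler"
            elif name in ("href", "src", "action", "formaction") and \
                    value.strip().lower().startswith("javascript:"):
                self.context = self.context or f"<{tag} {name}=javascript:...>"

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # html.parser delivers <script> bodies as raw data while in_script is set
        if self.in_script and self.canary in data:
            self.context = self.context or "<script> body"


def executes(response: str, canary: str) -> Optional[str]:
    finder = ExecContextFinder(canary)
    finder.feed(response)
    finder.close()
    return finder.context


def fuzz(handler: Handler, template: Dict[str, str], start: int = 0) -> List[dict]:
    """Replace every [X] in the request template with each payload from index
    `start` onward (the same skip-ahead Xenotix offers) and record both the
    naive reflection verdict and the context-aware verdict."""
    results = []
    for i in range(start, len(PAYLOADS)):
        canary = f"xnx{i}q"
        payload = PAYLOADS[i].format(C=canary)
        params = {k: v.replace(MARKER, payload) for k, v in template.items()}
        resp = handler(params)
        results.append({
            "index": i,
            "reflected": payload in resp,         # what a string-match scanner reports
            "executes": executes(resp, canary),   # what a rendering check reports
        })
    return results


def first_hit(handler: Handler, template: Dict[str, str], start: int = 0) -> Optional[int]:
    for r in fuzz(handler, template, start):
        if r["executes"]:
            return r["index"]
    return None


DNS_LOOKUP = {"page": "dns-lookup.php", "target_host": MARKER}

if __name__ == "__main__":
    for name, h in [("unescaped", echo_unescaped),
                    ("in comment", echo_in_comment),
                    ("escaped", echo_escaped)]:
        res = fuzz(h, DNS_LOOKUP)
        naive = [r["index"] for r in res if r["reflected"]]
        real = [(r["index"], r["executes"]) for r in res if r["executes"]]
        print(f"{name:10s} naive hits={naive} executable hits={real}")
```

Against the unescaped handler every payload comes back verbatim, so a string-match scanner reports eight hits, while the context check reports only the five that land in a script body or handler. The comment handler is the false-positive case: all eight strings are reflected, but only the comment break-out (payload 6) is executable, which is also why payload diversity matters more than raw database size. The escaped handler reflects only the plain probe and executes nothing. html.parser is a crude approximation of a browser (no JavaScript, none of the tag-soup quirks real engines tolerate), which is precisely the gap Xenotix closes by rendering each payload in Trident, WebKit and Gecko.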

The Information
Gathering modules are where we can really start to have fun with
Xenotix. You first have to hook a victim browser to make use of this tool set.
I set the Xenotix server to the host IP where Xenotix was running (rather than
the default localhost setting) and checked the Semi
Persistent Hook checkbox. The resulting payload of

was then used with Mutillidae’s Pen
Test Tool Lookup to hook a victim browser on a different system running
Firefox on Windows 8.1. With the browser at my beck and call, I clicked Information Gathering where the Victim Fingerprinting module produced:

Again, entirely accurate. The Information
Gathering modules also include WAF
Fingerprinting, as well as Ping,
Port, and Internal Network Scans. Remember that,
as is inherent to cross-site scripting, these scans run from inside the hooked
browser, so they reach whatever the victim's system can reach, including
internal networks the attacker cannot see directly.

Saving the most fun for last,
let's pwn this thang! A quick click of XSS
Exploitation offers us a plethora of module options. Remember, the
victim browser is still hooked (xooked) via:

I sent my victim browser a message as depicted in Figure 4 where I snapped the Send Message configuration and the
result in the hooked browser.

FIGURE 4: A celebratory XSS message

Message boxes are cute, Tabnabbing
is pretty darned cool, but what does real exploitation look like? I first fired
up the Phisher module with
Renren (the Chinese Facebook) as my target site, resulting in a Page Fetched and Injected message and
Renren ready for login in the victim browser as evident in Figure 5. Note that
my Xenotix server IP address is the destination IP in the URL window.

Your Renren is my Renren.
What? Credential theft is not enough for you? You want to deliver an executable
binary? Xenotix includes a safe, handy sample.exe
to prove your point during demos for clients and/or decision makers. Still not
convinced? Need shell? You can choose from JavaScript,
Reverse HTTP, and System Shell Access. My favorite, as
shared in Figure 7, is reverse shell via a Firefox bootstrapped add-on as
delivered by XSS Exploitation-->System Shell Access-->Firefox Add-on Reverse Shell. Just Start Listener, then Inject (assumes a hooked browser).

FIGURE 7: Got shell?

Assuming the victim happily
accepts the add-on installation request (nothing a little social engineering
can't solve), you'll have a reverse shell on the victim's system running with
the privileges of the user who accepted the add-on. This makes pentesters very
happy. There are even persistence options via Firefox add-ons, more fun than a
frog in a glass of milk.

In Conclusion

While this tool won’t replace proxy scanning platforms
such as Burp or ZAP, it will enhance them most righteously. Xenotix is GREAT
for enumeration, information gathering, and most of all, exploitation. Without
question add the OWASP Xenotix XSS Exploit Framework to your arsenal and as
always, have fun but be safe. Great work, Ajin, looking forward to more, and
thanks to the voters who selected Xenotix for this month’s topic. If you have
comments, follow me on Twitter via @holisticinfosec or email if you have
questions via russ at holisticinfosec dot org.

3 comments:

Hi! I wonder if you know: 1) how much it take to Xenotix to perform an attack? 2) which of all its exploiting vulnerabilities strategies is the best? 3) can I have more than one exploit processes working at the same time?

1. What are you referring to? The Scanner Module to detect XSS or the Exploitation Module for performing the attack.

Detecting XSS on a web application depends on the payloads and the type of filters or WAFs it uses. And when considering the Exploitation Module, you can perform an attack as long as you can xook a victim.

2.That depends. Some exploitation modules are operating system or browser dependent. So you could select a module based on your requirements and suitable for the platform or browser.

3. Some modules of the Exploitation Framework can work in parallel and some cannot. You can check and verify this by opening the xss.js file while you run the Exploitation Framework.

About Me

Russ McRee runs the Blue Team for Microsoft's Windows and Devices Group (WDG). He writes the monthly column toolsmith. Russ has spoken at infosec events such as Defcon, Black Hat, RSA, and FIRST and has published in the likes of Information Security, Linux Magazine, (IN)SECURE, and SysAdmin. As an advocate of a holistic approach to information security, Russ' website is holisticinfosec.org.
He also serves as a volunteer handler for the SANS Internet Storm Center.